Nearly half of all organizations have critical security debt (high-risk flaws in their applications that go unremediated for more than a year), and more than 70 percent of organizations have security debt of some kind, according to Veracode's new State of Software Security report on enterprise software security trends.
A number of factors contribute to known security flaws persisting in applications over the long term, not least the high volume of new vulnerabilities published every year and the need to allocate scarce developer time to other tasks.
“Security debt is endemic. It’s everywhere,” said Chris Eng, chief research officer at Veracode, which published the latest version of its State of Software Security report on Wednesday, much of which focused on the issue of security debt.
Interestingly, though security debt exists in the vast majority of organizations, it is not evenly distributed among organizations or across applications. Larger applications are more likely to have security debt and critical security debt than small and medium-sized apps. And in general, the older the app, the more security debt it carries, according to Veracode’s data. Also, development teams tend not to prioritize fixing the more-serious flaws over less-serious ones.
“It is a choice they have to make and when it comes to working down the debt, are they doing it in the most efficient way? They’re not. They’re fixing critical and normal flaws at basically the same rate,” Eng said.
“I don’t think it’s being dictated by the people who are thinking about risk management. It could be something the developer thinks is easier to fix or actually is easier to fix, or maybe there’s just so much in front of them that they’re making the decisions as best they can.”
Most modern applications are a complex mix of first- and third-party code, often including open source libraries and other components that in-house development teams don’t have any control over. That can make addressing known security flaws even more challenging. Veracode’s data shows that 63 percent of apps have vulnerabilities in first-party code, while 70 percent have vulnerabilities in third-party code. The bugs in third-party code are more likely to end up becoming security debt, too. According to Veracode’s data, flaws in third-party code have a 48 percent likelihood of turning into security debt, while flaws in first-party code have a 41 percent chance.
“They have to draw the line somewhere and most of the security debt is in first-party code, but most critical security debt is in third-party code, and honestly I was initially surprised by that. But then I thought about the fact that developers never update libraries and CVEs are coming out all the time,” Eng said.
In terms of improving an organization’s skill at fixing flaws, Eng said it generally comes down to improving the organization’s capacity, its prioritization, or its efficiency. None of those is a simple change to make. Increasing capacity generally means spending more money on developers, tools, or both. And shifting priorities means taking resources away from other tasks.
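As an added illustration (not code from the report or from the article), the following script applies the definitions above to a constructed list of open scanner findings: a flaw becomes security debt once it has been open for more than a year, critical debt is the high-risk subset, the counts are split by first- versus third-party origin as in Veracode's data, and the fix queue is ordered severity-first and then oldest-first rather than treating critical and normal flaws at the same rate. Third-party findings are also grouped by component, since one library update typically closes several CVEs at once. Finding ids, severities, component names and dates are made up, and the 365-day cutoff and severity labels are assumptions about how a scanner would report them.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds as the article defines them: a flaw is "security debt" once it has gone
# unremediated for more than a year, and "critical security debt" is the high-risk
# subset. The 365-day cutoff and the severity labels are our assumptions about how
# a scanner would report findings.
DEBT_AGE_DAYS = 365
CRITICAL_SEVERITIES = {"critical", "high"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    id: str           # hypothetical scanner finding id
    severity: str     # one of SEVERITY_RANK
    origin: str       # "first-party" or "third-party"
    component: str    # module (first-party) or library@version (third-party)
    first_seen: date  # date the scanner first reported this still-open flaw


def age_days(f: Finding, as_of: date) -> int:
    return (as_of - f.first_seen).days


def is_debt(f: Finding, as_of: date) -> bool:
    # "More than a year": a flaw exactly 365 days old is not yet debt.
    return age_days(f, as_of) > DEBT_AGE_DAYS


def is_critical_debt(f: Finding, as_of: date) -> bool:
    return is_debt(f, as_of) and f.severity in CRITICAL_SEVERITIES


def debt_summary(findings, as_of):
    """Open / debt / critical-debt counts, split by code origin."""
    summary = {}
    for f in findings:
        row = summary.setdefault(f.origin, {"open": 0, "debt": 0, "critical_debt": 0})
        row["open"] += 1
        row["debt"] += int(is_debt(f, as_of))
        row["critical_debt"] += int(is_critical_debt(f, as_of))
    return summary


def prioritized_backlog(findings, as_of):
    """Fix queue ordered by severity, then oldest first, so critical flaws are not
    worked at the same rate as low ones and nothing is left to age into debt."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], -age_days(f, as_of)))
    return [f.id for f in ordered]


def components_to_update(findings):
    """Group open third-party findings by component: one version bump closes all of
    them. Components are ordered by their worst finding, then by how many they carry."""
    groups = {}
    for f in findings:
        if f.origin == "third-party":
            groups.setdefault(f.component, []).append(f)
    ranked = sorted(
        groups.items(),
        key=lambda kv: (min(SEVERITY_RANK[f.severity] for f in kv[1]), -len(kv[1])),
    )
    return [(component, sorted(f.id for f in fs)) for component, fs in ranked]


# Constructed sample data: a scan snapshot of still-open findings.
AS_OF = date(2024, 1, 31)
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", "first-party", "auth/session.py", date(2023, 11, 1)),
    Finding("F-2", "high", "first-party", "api/upload.py", date(2022, 6, 15)),
    Finding("F-3", "medium", "first-party", "web/templates", date(2022, 9, 1)),
    Finding("F-4", "low", "first-party", "cli/main.py", date(2023, 12, 20)),
    Finding("F-5", "critical", "third-party", "lib-xyz@1.2.0", date(2022, 3, 10)),
    Finding("F-6", "high", "third-party", "lib-xyz@1.2.0", date(2022, 11, 20)),
    Finding("F-7", "medium", "third-party", "parser-lib@0.9.0", date(2023, 1, 30)),  # 366 days: debt
    Finding("F-8", "low", "third-party", "parser-lib@0.9.0", date(2023, 1, 31)),     # 365 days: not yet
]

if __name__ == "__main__":
    for origin, row in debt_summary(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{origin}: {row}")
    print("fix order:", prioritized_backlog(SAMPLE_FINDINGS, AS_OF))
    print("library updates:", components_to_update(SAMPLE_FINDINGS))
```

The boundary rows (F-7 and F-8) show why the cutoff needs to be pinned down before the numbers are compared across teams: one day either side of a year moves a finding in or out of the debt count. Replacing SAMPLE_FINDINGS with an export from a real scanner gives the same three views of an actual backlog.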
“This all comes down to better habits,” Eng said.